b'REVIEW OF DCA CONTROLS OVER THE SHARP SYSTEM\n\n\n\n\n             Audit Report No. 00-018\n                  May 22, 2000\n\n\n\n\n              OFFICE OF AUDITS\n\n      OFFICE OF INSPECTOR GENERAL\n\x0cFederal Deposit Insurance Corporation                                                         Office of Audits\nWashington, D.C. 20434                                                            Office of Inspector General\n\n\n\n   DATE:            May 22, 2000\n\n   TO:              Stephen M. Cross, Director\n                    Division of Compliance and Consumer Affairs\n\n   FROM:            David H. Loewenstein\n                    Assistant Inspector General\n\n   SUBJECT:         Report Entitled Review of DCA Controls over the SHARP System\n                    (Audit Report 00-018)\n\n\n   The Federal Deposit Insurance Corporation\xe2\x80\x99s (FDIC) Office of Inspector General (OIG) has completed\n   its review of the Division of Compliance and Consumer Affairs\xe2\x80\x99 (DCA) controls over the reliability of\n   the Scheduling, Hours, And Reporting Package (SHARP) system. We have also reviewed the Division\n   of Supervision\xe2\x80\x99s (DOS) controls over SHARP and have issued a separate report to DOS.\n\n   We had also planned to review DCA\xe2\x80\x99s Compliance Statistical System (CSS). This system has been\n   used to track the progress of Compliance and Community Reinvestment Act (CRA) examinations, but\n   we were informed by DCA that this system will be replaced with the new System of Uniform Reporting\n   of Compliance and CRA Examination (SOURCE) in June 2000. Therefore, we did not perform a\n   review of CSS.\n\n\n   BACKGROUND\n\n   The SHARP system is a computerized scheduling, hours, and reporting tracking system. It has\n   been developed for DCA and DOS to standardize the process of collecting and reporting hours\n   utilization information for examiners.\n\n   DCA employees are responsible for recording their own hours in SHARP. Within the system,\n   hours are allocated by activity codes according to the type of task performed. Such tasks include,\n   for example, bank examinations, training, and travel. For bank examinations, hours can be\n   allocated by specific examinations and by various kinds of examination activities. In addition,\n   hours that examiners work inside a bank can be differentiated from those hours worked outside\n   the bank. The system also tracks hours by office codes, which allows for hours to be reported by\n   office, including detail assignments. Once the employees have entered their hours on their\n   computer, they upload the data to a central database.\n\x0cDCA management uses SHARP information for examination management and budget purposes,\nanalyzing and tracking examination time spent, and projecting future staffing needs.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nOur objectives were to determine whether the SHARP system as used by DCA (1) has proper\ninternal controls in place and (2) generates accurate and reliable information. We reviewed\nSHARP data for the months of May and September 1999.\n\nWe performed fieldwork in the DCA Washington, D.C., headquarters office. We focused our\nreview on the internal controls in place and the system\xe2\x80\x99s ability to generate accurate and reliable\ndata. We obtained and reviewed the SHARP User Manual and interviewed the SHARP system\nliaison, DCA management and staff, and the Division of Information Resources Management\n(DIRM) project manager for SHARP. We judgmentally selected SHARP hours reports for May\n1999 and September 1999 for review. The review was conducted in accordance with generally\naccepted government auditing standards. Our review was performed from October 1999 through\nFebruary 2000.\n\n\nRESULTS OF REVIEW\n\nOverall, the SHARP system generally meets the needs of DCA examiners and management. DCA has\ndeveloped an exception reporting process that identifies disparate data entries, and when such entries\nare identified, DCA follows up on them. However, during our review we noted some controls that\nshould be strengthened over the data in the SHARP system to ensure data integrity. These controls\nrelate to the input and review of employee hours, the prevention of data alteration, and the\nperformance of regional office reviews.\n\nWe attempted to test the system\xe2\x80\x99s data integrity to determine whether the system generates accurate\nand reliable data. However, due to the internal control weaknesses noted above, we decided to\npostpone further testing until a future audit is conducted, once the internal controls have been\nstrengthened. Our results are discussed in more detail below.\n\n\nINPUT AND REVIEW OF EMPLOYEE HOURS\n\nAccording to the SHARP User Manual, all examiners should enter their record of hours worked into\nthe SHARP system \xe2\x80\x9con a daily basis if possible. In this way, the data will have the highest degree of\naccuracy. If hours cannot be entered daily, they should be entered as often as possible.\xe2\x80\x9d\n\nDuring our review of SHARP reports for May 1999 and September 1999 for three DCA regions, we\nfound, on average, that 8 percent of the employees entered less than the required 80 hours per pay\nperiod. SHARP does not identify employees who do not enter any hours at all.\n\nTimely and accurate data entry is an important practice when tracking time charges to specific\nexaminations. At the end of an examination, DCA generates a report from the SHARP system, the\n\n\n                                                 2\n\x0cPage A Report, which details the hours by examiner, grade, activity, and division. In addition,\nexamination hours spent inside the bank and outside the bank are identified separately. DCA uses this\ninformation to establish benchmarks for subsequent examinations and to plan for resource levels\nneeded to complete its workload. If the Page A Report is generated and examiners either have not\nentered their time charges into SHARP or have entered them incorrectly, the Page A Report will not\naccurately reflect resources devoted to the examination.\n\nThrough interviews with DCA management in Washington, we also identified that examiners-in-\ncharge, field office supervisors, and regional managers are not required to review or approve examiner\ntime charges on a regular basis. We were told that examiners-in-charge are conscious of hours\ncharged to their examinations (as the hours appear on the Page A Report) and that they would be alert\nto any major discrepancies that occurred.\n\nReview of the Page A Report alone does not provide assurance that all the hours entered in SHARP\nare accurate, because the Page A Report captures data associated with examination activities only. It\ndoes not identify hours for non-examination activities, such as annual leave and training.\n\n\nPREVENTION OF DATA ALTERATION\n\nDuring our review we found that SHARP users are able to change their hours in the SHARP database.\nThe ability to alter time charges raises concerns over the reliability of data in management reports.\n\nIf changes are made to the SHARP data, the SHARP system does not retain the previous date(s) when\nhours were entered into the system; it also does not track the sources of subsequent data changes.\nConsequently, if changes are made several times, there is no audit trail to determine when the previous\nchanges were made. The SHARP system does include a date when data is entered, but the date\nchanges each time an employee corrects a data record. Consequently, the date retained in the system is\nthe last date when an employee updated the record.\n\nWe reviewed a sample of time charge records for employees in several DCA regional offices for May\n1999 and September 1999. The SHARP report showed that 77 employees entered the system from\nAugust through December 1999 and accessed their May and September 1999 time charges 3 to 7\nmonths after the pay period end. The 77 employees include 44 employees in the Chicago region, 21\nemployees in the Dallas region, and 12 employees in the New York region. The system does not track\nwhether the time charges for the 77 employees had been altered or not. However, we believe it should\nbe rare for time charges to be accessed 3 to 7 months after the pay period end.\n\n\n\n\n                                                3\n\x0cPERFORMANCE OF REGIONAL OFFICE REVIEWS\n\nDuring the course of our fieldwork and meetings with DCA, we noted that DCA does not perform\nregional office reviews of the SHARP data. We believe that these reviews would be useful to DCA\nand its mission.\n\nWe were informed by DCA recently that it has implemented policies and procedures to perform\nreviews of the SHARP data on the regional offices on a quarterly basis. The first quarterly review was\nperformed in late January 2000 for the fourth quarter of 1999. We reviewed the reports used by DCA\nto perform the review and believe that DCA should continue with these reviews on a regular basis.\n\n\nCONCLUSION AND RECOMMENDATIONS\n\nWe believe that DCA needs to strengthen its controls to provide a higher level of reliability for the\nSHARP data. We believe that improved controls would not require extensive DCA resources, and\nthat those controls would enhance the reliability of management reports. Because SHARP is relied\nupon to track DCA workload and to help plan for future resource use, we believe DCA should take\naction to address the control weaknesses we identified.\n\nAccordingly, to increase the reliability of management reports generated by the SHARP system, we\nrecommend that the Director, DCA:\n\n(1) Instruct examiners to complete their time charges on a daily basis, or as frequently as possible, as\n    required by the SHARP User Manual;\n(2) Require examiners-in-charge and/or field office supervisors to review time charges on a regular\n    basis for accuracy;\n(3) Pursue with DIRM the possibility of changing the SHARP system to lock in time charges after a\n    certain period of time, or some other method of limiting the ability to change data;\n(4) Pursue with DIRM the possibility of retaining the original date that data is entered into SHARP in\n    addition to the currently maintained date of last entry or access; and\n(5) Continue quarterly reviews of SHARP data in the regional offices.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn April 12, 2000, the Director, DCA, provided a written response to the draft report. The response\nis presented in Appendix I of this report.\n\nManagement agreed with all of the recommendations. Corrective actions will be implemented by the\nend of the second quarter of 2000 for recommendation 1 and by the end of the third quarter of 2000\nfor recommendations 2 and 3. With regards to recommendation 4, DCA has already contacted DIRM\nto discuss financially viable options to retain the original date as well as retaining the most recent date\ndata is entered in SHARP. DCA management stated that \xe2\x80\x9ca feasibility and cost analysis was performed\nthat indicated a major revision to the application would be needed to address this issue and that it\nwould be prohibitively expensive to make this change. A decision was made that it would be too\n\n\n                                                  4\n\x0cexpensive to pursue adding an electronic audit trail of this nature.\xe2\x80\x9d However, DOS stated in its\nmanagement response letter that DIRM would continue to look at alternative methods of either\ncapturing and retaining the original date or other methods of better tracking user changes. Since the\nSHARP system is a shared system between DCA and DOS, any changes made by DOS will also affect\nDCA. Therefore, we accept DCA\xe2\x80\x99s response to recommendation 4. In reference to recommendation\n5, DCA recently implemented policies and procedures to perform reviews of the SHARP data on the\nregional offices on a quarterly basis. The first quarterly review was performed in late January 2000 for\nthe fourth quarter of 1999.\n\nThe Corporation\xe2\x80\x99s response provided us with the requisite elements of a management decision for all\nrecommendations. The Director, DCA, agreed to take action on our recommendations. We concur\nwith and accept management\xe2\x80\x99s response to the recommendations.\n\n\n\n\n                                                 5\n\x0c                                                                                APPENDIX I\nFederal Deposit Insurance Corporation\n550 17th Street, NW, Washington, DC 20429                               Division of Compliance and Consumer Affairs\n\n                                              April 12, 2000\n\nTO:                  David H. Lowenstein, Assistant Inspector General\n                     OIG Office of Audits\n\n\n\nFROM:                Stephen M. Cross, Director\n                     Division of Compliance and Consumer Affairs\n\nSUBJECT:             Response to Draft Report Entitled Review of DCA Controls over the SHARP\n                     System\n\nThank you for the opportunity to comment on your draft report Review of DCA Controls over the\nSHARP System. As requested in your memorandum dated March 20, 2000, we are presenting our\nresponse to the OIG\'s Office of Audits recommendations contained in the aforementioned report both\nin hard copy and electronic format.\n\nRecommendation 1 - Instruct examiners to complete their time charges on a daily basis, or as\nfrequently as possible, as required by the SHARP User Manual.\n\nDCA believes it is unnecessary for examiners to enter their hours information into SHARP on a daily\nbasis. The examiners travel frequently and it is often not convenient for them to enter SHARP data\ndaily. While the more frequent the data entry, the less likely it is that activities will be forgotten or\ncoded incorrectly, daily entry is often not feasible. Therefore, DCA is in the process of changing the\nSHARP User Manual to instruct staff to enter hours as often as possible, but not less than every two\nweeks. The changes to the User Manual are currently undergoing the approval process. Once\napproved, the electronic version of the Manual will be updated on the SHARP Intranet Web page. We\nexpect this process to be finished by the end of the second quarter, 2000. DCA will notify SHARP\nusers, as well as the OIG, once the electronic Manual is updated.\n\nRecommendation 2 - Require examiners-in-charge and/or field office supervisors to review time\ncharges on a regular basis for accuracy.\n\nWe agree with the OIG that the data entered into SHARP need to be reviewed for accuracy. As part\nof the SHARP User Manual update, statements have been added that instruct examiners-in-charge to\nreview hours data on the Page A Workpaper for reasonableness. As stated above, DCA will notify the\nOIG when the electronic Manual is updated.\n\nIn the next SHARP guidance memo DCA develops, a statement will be included that expresses the\nnecessity and importance for data integrity purposes that time charges are reviewed by the Field Office\nSupervisor for accuracy. Regional Directors can use the quarterly exception reports to determine if\ntheir Field Office Supervisors are indeed performing accuracy checks. The Field Office Supervisors\nwill be given the latitude to develop their own method of performing data accuracy checks. DCA will\ninclude the OIG on the distribution list of the next guidance memo, which is expected to be developed\n\n\n                                                   6\n\x0c    and distributed in the third quarter, 2000.\n\n    Recommendation 3 - Pursue with DIRM the possibility of changing the SHARP system to lock\n    in time charges after a certain period of time, or some other method of limiting the ability to\n    change data.\n\n    The OIG draft report states that a large number of records sampled showed examiners had accessed\n    their time charges that were three or more months old. However, DCA doesn\'t believe that examiners\'\n    altering their time charges is necessarily a negative occurrence. On November 22, 1999 DCA issued its\n    first quarterly exception report that identified examiner time charges requiring management review.\n    Regional Office Directors were instructed to review the hours, and where necessary, have corrections\n    made by examiners. On December 30, 1999 DCA issued a memo to provide further guidance and\n    clarification on SHARP activity code descriptions. As a result of these two memorandums, DCA\n    anticipated that examiner staff would review their hours charged throughout 1999 and make\n    corrections where necessary so that hours data could be reported accurately.\n\n    The SHARP system does not currently have an audit trail system that tracks changes made to the data.\n     DCA and DOS met with DIRM to discuss financially viable options for locking in data and limiting the\n    ability to change data. The software will be revised to limit the length of time that a user can go back\n    to and make changes or entries. Users will now be allowed to make entries and changes for the 180\n    day period preceding the current date. This timeframe will allow review of uploaded data by audit and\n    management groups, who can then request that users make necessary corrections. Any changes to\n    earlier dates will have to go through the SHARP Administrator and be documented. If a user attempts\n    to upload a change to an earlier date, a warning message will be provided and the data captured in an\n    exception report. This exception report can then be provided to the SHARP Administrator, with\n    explanation, for processing.\n\n    DCA will notify SHARP users, as well as the OIG, via memorandum once the limitation on the\n    SHARP system is in place. DIRM anticipates that this change can be made to the application by the\n    end of the third quarter, 2000.\n\n    Recommendation 4 - Pursue with DIRM the possibility of retaining the original date that data\n    are entered into SHARP in addition to the currently maintained date of last entry or access.\n\n    DCA and DOS met with DIRM to discuss financially viable options to retain the original date data are\n    entered as well as the most recent date data are entered into SHARP. Therefore, a feasibility and cost\n    analysis was performed that indicated a major revision to the application would be needed to address\n    this issue and that it would be prohibitively expensive to make this change. A decision was made that it\n    would be too expensive to pursue adding an electronic audit trail of this nature. We don\'t believe that a\n    serious problem exists since examiners appear to be making changes to correct mistakes, and not to\n    manipulate their data. Therefore spending the money on such an enhancement would not be cost\n    effective. If the OIG believes a serious problem exists that needs to be corrected, we will certainly\n    consider any cost effective alternatives the OIG may suggest to track data changes made in the system.\n\n*   In the response to the "Altering Time Charges" section of the Draft Report, the OIG makes two\n    statements that need to be clarified. The first statement is \xe2\x80\x9cConsequently, when changes are made,\n\n\n                                                     7\n\x0c    there is no audit trail to determine when the changes are made or by whom.\xe2\x80\x9d The SHARP system does\n    retain the date when the changes are made; however, it does not currently retain the date when the\n    original entry was made. The system does not reflect who made the change because data entries are\n    only made by the actual user. The only exception is those limited cases where the SHARP\n    Administrator may need to make corrections and these changes are and will continue to be\n    documented.\n\n*   The second statement that needs to be clarified is \xe2\x80\x9cThe SHARP system does include a date when data\n    is entered, but the date changes each time an employee accesses a data record.\xe2\x80\x9d The entry date only\n    changes if the user either makes a change to the data or accesses one of the \xe2\x80\x9cdrop-down\xe2\x80\x9d selection\n    boxes (since the system cannot easily tell if a different selection was made from the box.) The date\n    does not change if the user simply views the data.\n\n    Recommendation 5 - Continue quarterly reviews of SHARP data in the regional offices.\n\n    DCA will continue to produce and distribute the quarterly exception reports developed in late 1999.\n    Regional Office management and Field Office Supervisors will review the reports, and where\n    necessary, have data corrected.\n\n    If you have any questions, please contact Melissa D\'Onofrio, Associate Director for Operations, at\n    202-942-3223.\n\n\n\n    * The final audit report has been revised to clearly reflect the current SHARP\n    system controls.\n\n\n\n\n                                                    8\n\x0c                                                                                                                                                      APPENDIX II\n                                                  MANAGEMENT RESPONSES TO RECOMMENDATIONS\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the\nCongress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response\nmust describe for each recommendation\n    \xc2\xa7 the specific corrective actions already taken, if applicable;\n    \xc2\xa7 corrective actions to be taken together with the expected completion dates for their implementation; and\n    \xc2\xa7 documentation that will confirm completion of corrective actions.\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In\nthe case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response. If management does not agree that a recommendation should\nbe implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of\naction already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.\n\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions. The information for\nmanagement decisions is based on management\xe2\x80\x99s written response to our report.\n                                                                                                   Documentation That                         Management\n  Rec.                                                                          Expected              Will Confirm            Monetary       Decision: Yes or\n Number            Corrective Action: Taken or Planned/Status                 Completion Date         Final Action            Benefits              No\n             DCA is in the process of changing the SHARP User Manual                               SHARP User Manual\n                                                                                                                                 Not\n    1        to instruct staff to enter hours as often as possible, but not   Quarter 2, 2000      SHARP Intranet Web                              Yes\n                                                                                                                              Quantifiable\n             less than every two weeks.                                                                 Page\n             DCA has updated the Sharp User Manual with instructions\n             to examiners-in-charge to review hours on the Page A\n             Workpaper for reasonableness. In the next SHARP                                      Copy of guidance memo          Not\n    2                                                                         Quarter 3, 2000                                                      Yes\n             guidance memo, a statement will be included that expresses                             provided to all staff     Quantifiable\n             the necessity and importance that time charges are reviewed\n             by the Field Office Supervisor for accuracy.\n                                                                                                      Copy of SHARP\n             DIRM will revise software to limit the length of time that a                                                        Not\n    3                                                                         Quarter 3, 2000      limitation memo to all                          Yes\n             user can go back to make changes or entries.                                                                     Quantifiable\n                                                                                                            staff\n             DCA and DOS met with DIRM to discuss financially viable\n                                                                                                  Management\xe2\x80\x99s response\n             options to retain the original entry dates and determined                                                           Not\n    4                                                                              N/A            to the draft report dated                        Yes\n             that it would be too expensive to pursue adding an electronic                                                    Quantifiable\n                                                                                                           4/12/00\n             audit trail.\n             DCA will continue to produce and distribute the quarterly                            Management\xe2\x80\x99s response\n                                                                                                                                 Not\n    5        exception reports developed in late 1999.                             N/A            to the draft report dated                        Yes\n                                                                                                                              Quantifiable\n                                                                                                           4/12/00\n\n\n\n                                                                                   9\n\x0c'